Future-Proof your IT with Smarter Servers


Roy Cahn-Speyer manages HP's BladeSystem enclosure and two-socket server business for the Americas. He is responsible for product launches, market development and transition planning.


What will the typical two-socket server look like in five years?

The industry is trending toward a server with 64 cores, 4TB to 8TB of memory and two 100Gbit network ports. We think it will be capable of hosting ?00 to 500 virtual machines.


Not a pretty picture. That's why at HP, we've started three multiyear projects to address the server of the future. Project Moonshot leverages hundreds of low-power processors, like the ones in cell phones, each running its own copy of Linux for applications like Web hosting or Hadoop. Project Odyssey aims to improve server reliability and fault toler-


uptime, simplify server management and decrease total cost of ownership. These goals are met by the ProLiant Gen8 servers, which feature a new version of HP's Integrated Lights-Out processor (iLO 4). iLO 4 delivers a complete set of intelligent, automated management features for self-analysis and healing, from initial deployment to daily management, service alerting and remote support. On the performance and value side, AMD Opteron 6200 Series processors offer the industry's highest core density and the exceptional price/performance that AMD is known for.

Can you explain how iLO 4 delivers a smarter and more automated server?

iLO 4 is like a computer inside each ProLiant Gen8 server. It is connected to




ance by adapting technology from our NonStop and Business Critical Systems group to Windows and Linux. And Project Voyager, which adds intelligence to our servers, helping to increase uptime, automate server management and reduce the need for staff intervention. In fact, the HP ProLiant Gen8 blade, tower and rack-mount servers, launched in March, are the first deliverables of Project Voyager.


end by AMD Opteron™ 6200 Series processors meet the business needs of CIOs today?


all server subsystems and has a 4GB flash memory. iLO 4 enables agentless phone-home functionality, which makes remote management painless. HP will even help you manage your servers via our free cloud-based Insight Online portal hosted on hp.com. In addition, the new Active Health System continually monitors and logs 1600 parameters to the 4GB flash memory so even the trickiest problems can be root-caused up to five times faster. We also made initial deployment easier by eliminating the need for CDs. Drivers and firmware needed to install an operating system are now embedded in iLO 4.


and drivers, HP offers the free Smart Update application that automatically sequences every step in the correct order and requires a maximum of one reboot, which takes the risk out of firmware and


How is the performance running compute-intensive workloads?

The AMD Opteron 6200 Series processors deliver a major boost in price/performance. Available with 4-, 8-, 12- or 16-core AMD processors, the ProLiant Gen8 servers feature the highest core density. Twice the cores per server lets you host virtual machines with a dedicated core for each VM. It also lets you serve more database users and solve more complex HPC problems. The Gen8 server design with AMD Opteron 6200 Series processors balances flexibility, expandability and energy efficiency.

What advice would you offer CIOs looking to future-proof their server infrastructure?

When you're counting on a server farm to power your business, you want a smarter server with intelligence close to the application. This will enable you to automate manual operations, lower operating costs and increase uptime. Moving in this direction is a journey. We believe the ProLiant Gen8 server with AMD is an excellent place to start.

Custom Solutions Group


If "lowest cost per virtual machine" doesn't get you, its 150 design innovations will.

powered by AMD Opteron™ 6200 Series processors, offers 150 customer-inspired design innovations and features Intelligent Provisioning so you can deploy servers 3X faster with 45% fewer steps.* All for 15% less per server.* It adds up to more innovation and performance, for less.

The power of HP Converged Infrastructure is here.

Learn more with the IDG white papers Virtual Machines Find Ideal Physical Name and Transforming Your Database from a Pain Point to a Power Point.

Visit hp.com/go/gen8bladeservers or scan the QR code.
data center is here

The solution for automated scalability.


Find an easier way to manage your virtual infrastructure. Visit brocade.com everywhere

The New Rules of Cyberwar


18 Critical infrastructure providers face off against a rising tide of increasingly sophisticated

Time Off to Innovate

24 Savvy IT departments that set aside time for employee creativity say the payoffs include happier workers, increased productivity and sometimes more revenue.

Why Passwords Still Fail Us

28 Three decades into the digital revolution, passwords are still complicated, ineffective and a drain on IT's resources. What gives?


ELECTION WATCH

E-Voting Results: Trust, but Verify

Hackers in Iran have claimed responsibility.

"This has been an eye-opening experience," said Weatherford, speaking at a cybersecurity aware-


The Key to Application Business

InterSystems' application platform is the key to rapidly building a new generation of breakthrough applications that provide the scalability, connectivity, and analytical capability users want today.

Our platform unifies three advanced systems for data management, integration, and analytics. This enables programmers to embed three rich functionalities all at once, reducing development cycles.

With our advanced platform, developers rapidly build complex applications that can be implemented quicker, integrated easier, and operated with minimal administration.

InterSystems.com/Key

Burst

Citing a slump in the PC market, AMD says it will lay off 1,800


Today, 99% of the Fortune Global 500 rely on VMware, the leader in virtualization. With VMware, you can leverage your existing IT infrastructure as you migrate to a secure, managed and highly automated cloud solution. It's not just about getting to the cloud. It's about getting to your cloud.

vmware

The power behind your cloud.

Visit vmware.com/whiteboard
Windows 8 Faces A Slow Road to The Enterprise

As Microsoft's next-generation operating system finally makes its debut, it faces a high-stakes battle with iOS and Android.

By Patrick Thibodeau and Joab Jackson

Any early success will have to come from consumers, because enterprises aren't likely to quickly adopt Windows 8, according to research firm Gartner.

"There are no compelling business imperatives to drive legacy devices in business toward Windows 8," said Gartner analyst Peter Sondergaard at his firm's annual Symposium/ITxpo conference last month. He predicted that any widespread corporate move to Windows 8 won't happen until "at least 2014."

Gartner said its projection doesn't mean Windows 8 is already on the ropes. Large enterprises rarely move quickly to new Microsoft operating systems. Applications have to be tested, and many IT shops wait for the release of the first service pack.

Gartner analysts expect to see selective rollouts of Windows 8. The emergence of tablets and smartphones as the primary tools for some enterprise workers, such as salespeople, means the days of massive, enterprisewide upgrades of a single standard platform

Derek Minnich, an IT program manager at a company that he asked not be named, said his employer has used Windows 7 for

MIDSIZE BUSINESSES ARE THE ENGINES OF A SMARTER PLANET

FROM LIMITED IT RESOURCES TO UNLIMITED POTENTIAL.

FOR MIDSIZE BUSINESSES, A REDEFINING MOMENT.

In the past, midsize organizations with big ideas were constrained by limited IT resources. Not anymore. With the arrival of scalable, affordable cloud computing,

REINVENT WITHOUT REINVESTING IN I.T.

LINK wanted a faster, more

Working with a powerful facial recognition solution created by IBM Business

sophisticated ideas for new products no longer languish. Personalized customer

Partner nViso in the IBM SmartCloud™, LINK is now capturing respondent reactions to marketing messages in real time, via home webcams. Scores are generated every second for 7 emotions. And LINK gets its results up to 90% faster.

markets are being created every day.

It's shaking up industries and
Inside the DreamWorks Data Center

The movie studio invests heavily in IT to keep its animation artists efficient - and happy.
By Lucas Mearian

animation artists have the tools they need, Cutler said during a recent tour of the company's studio and data center in Redwood City, Calif.

The data center features about 3.8 petabytes of disk storage capacity and 4,000 servers with 25,000 CPU

DreamWorks, which has two studios in the U.S. and one in India, tries to release three animated movies a year. One film takes about three years to create, so the company is

tions at any one time.

The studio must invest in IT "to make sure our artists and engineers stay happy," said Kate Swanborg, head of enterprise marketing. "If we don't stay a couple steps ahead of state-of-the-art, they'll try to find it somewhere else."

The processing power and storage capacity required to produce computer-generated 3D films can be tremendous — DreamWorks uses more than 300 high-end workstations.

The studio's servers run some 400,000 processing jobs per day and use Red Hat's Enterprise MRG integrated high-performance computing platform to schedule those jobs. "Most of it is done in parallel," Cutler said.

Not including developers working directly on film productions, DreamWorks has 150 software engineers who write applications and keep them and third-party products running smoothly, said Jeff Wike, director of R&D at the Redwood City studio. About 20% of the company's software engineers have Ph.D.s, he added.

For the past three years, the software engineers have been "parallelizing [in-house] software" to take advantage of the latest Intel eight-core Sandy Bridge processors in its servers, Wike said.

"We don't write all of our software, but we do write a lot of it. We buy where we can and build where we must," he said.

The cost of producing a DreamWorks film can be staggering:


Three ways to prevent human error in IT spaces!

Make the most of your IT space! Download our Top 3 solution design guides today and enter to win an iPad 2.

APC

ATTENTION CRC: v473v
APC BY SCHNEIDER ELECTRIC
132 FAIRGROUNDS ROAD
WEST KINGSTON RI 02892-9901

Only our IT physical infrastructure is as dynamic as your business needs.


Christopher Perretta

With technology as the driver, this CIO maps a financial giant's strategy.

What's the most effective approach to time management? "Don't sweat the small stuff."

Is there anything that very few

"I'm an ex-medical engineer."

STATE STREET'S executive vice president and CIO, Christopher Perretta, says technology is leading the transformation of the financial services industry. In any organization at any time, that's no small task, but Perretta says it's particularly challenging given the state of the economy in the past several years. But he welcomes the opportunity. "I aspire to be a change agent," says Perretta, who leads a team of more than 5,000 employees and contractors that supports operations in 27 countries. His leadership was recognized earlier this year, when he received an MIT Sloan CIO Symposium 2012 Award for Innovation Leadership. The award honors CIOs who lead their organizations to pursue the innovative use of IT and business processes to deliver business value.

n? I think the team at State Street has done a great job at really putting new technology into a business context, and they're making a difference with the business. They're a very customer-centric group and a
SSD 840 PRO.

Performance at a different level.

SAMSUNG

THE GRILL | CHRISTOPHER PERRETTA


Law, where processing power doubles every 18 months

"Everything we do from a development standpoint has to have a commercial return. It's as straightforward as that."

technical architect
We've elevated that

firm-wide endeavor, and that has greatly enhanced our ability to deliver solutions in

What are the most important qualities in an IT leader today?

It's very easy to get into the tech tactical side of what we do and the incident management side of what we do, and one has to fight to free up the resources and the brain space to develop strategies and execute on them. You get sucked into the day-to-day, and you have to make an effort to build capabilities that are geared for five years from now. You can't lose the day-to-day, but you can't forgo the strategy. And then you have to execute on the strategy. So you have to build the organization and work with the people. [You have to determine:] Are you putting the right people in the right spot and giving them the right type of autonomy to do their jobs?

How would you summarize your vision for IT at State Street? In financial services, technology plays an expansive role. It is the physical manifestation of the product. We're both engineering and manufacturing and maintaining [the product], and we actually drive the car. And as technology grows — and with Moore's

tion? We kind of look at it as a pipeline. We have a couple of groups that are part of that pipeline. We have a chief scientist, and his job is to say, "What are the technologies out there that are likely to be impactful to our business, what are the potential uses of social media, or when should we be looking at certain hardware technologies?" Then we have the architecture group, which is really chartered with piloting new technologies and new approaches in real-world environments to demonstrate utility to the approach or technology. And when they're successful, we industrialize it for use by the whole organization.

I always tell my head of architecture he has to be three or four years out for me, because those are the kind of horizons the business uses.

large operation? We don't think about it as passing work around the globe. It's not like, "Send this work over to China to get done or down to New Jersey." Instead, we think, "We have a team made up of people from around the world." And when you do that, it's a lot easier because they're working together. We also benefit from the [fact] that 75% of the work we do is for global consumption, so they're consistently considering the implication to all, not just for North America. That helps teams stay together. I think State Street has a strong culture in its own right, too, that's about global inclusion and serving those customers. And our customers are more global than ever before.
Data exists to provide support. Helping people use it to beat the odds is what we do.

When used efficiently and effectively, data can improve lives. From helping first responders access the right data in an emergency, to providing caregivers accurate medical information to heal their patients, we help the brave improve their chances. If you're looking for a global partner with the expertise to create unique IT solutions and consulting for your business and customers, NTT DATA is for you. Get to know us at nttdata.com.

data for the people

NTT DATA

Global IT Innovator


OPINION

STEVEN J. VAUGHAN-NICHOLS

Grandpa the Programmer

Too many of us of a 'certain age' are facing an IT work environment that's hostile to older workers.

Steven J. Vaughan-Nichols has been

I'M 56. I'm not a grandfather — not yet anyway — but I'm old enough to be one. I first used the Internet in the '70s. My first programming language was IBM 360 Assembler. My first operating system was the IBM mainframe's OS/360. I was the first journalist to write about this new network service called the Web and say it just might matter.

You know what? I think I may just know a wee bit about computing.

I'm far from the only one. Lately, though, I've been noticing that the old meme about how grandpa can't understand iPhones, Linux or the cloud seems to be showing up more often even as it's becoming increasingly irrelevant. I've been guilty of using it myself.

Think about it. The big names of our field? Dennis Ritchie, creator of C and Unix, was 70 when he died last year. Ken Thompson, co-creator of Unix, is 67. James Gosling, founder of Java, is 57. Bill Gates is 56. So is Steve Ballmer. Steve Jobs was 56 when he left us. Tim Cook, his successor as head of Apple, is 51.

Linux and open source? Free software founder Richard M. Stallman is 59. His open-source philosophical rival Eric S. Raymond is 54. And even Linus Torvalds is now on the "older" side of 40, at 42.

And it's not just the big names: 27% of social network users are 45 or older.

We baby boomers like to think of ourselves as forever young. We're not. Some of us are now well

Man-Month, a classic of software management, blew out the delusion decades ago that simply throwing more man-hours at an IT problem fixes anything.

Experience Counts

Sadly, while that should have put an end to the idea that long hours are a fact of IT life, this remnant of our factory-line past lingers both in high tech and in other industries. But what really matters is who's productive and who's not.

In some jobs, such as law and accounting, the billable hour is all. The system encourages people to burn as many hours as possible on any given task. That's not how it is in IT, though. We need to get work done as fast as possible with as few mistakes as possible.

Guess what? Experienced grandpas or grandmas who cut their teeth on C can be just as effective as any 20-year-old wunderkind who's a wiz at JavaScript.

That's not to say that older workers are always
information security officer.

Then came Stuxnet.

In 2010, that malware, widely reported to have been created by the U.S. and Israel, reportedly destroyed 1,000 centrifuges that Iran was using to enrich uranium after taking over the computerized systems that operated the centrifuges.
RISE OF THE STATE-SPONSORED ATTACKER

Gen. Michael Hayden, principal at security consultancy The Chertoff Group, was director of the National Security Agency, and then the CIA, during the years leading up to the event. "I have to be careful about this," he says, "but in a time of peace, someone deployed a cyberweapon to destroy what another nation would describe as its critical infrastructure." In taking this step, the perpetrator not only demonstrated that control systems are vulnerable, but also legitimized this kind of activity by a nation-state, he says.

The attack rattled the industry. "Stuxnet was a game-changer because it opened people's eyes to the fact that a cyber event can actually result in physical damage," says Mark Weatherford, deputy undersecretary for cybersecurity in the National Protection Programs Directorate at the U.S. Department of Homeland Security.

In another development that raised awareness of the threat of cyberwar, the U.S. government in October accused Iran of launching distributed denial-of-service (DDoS) attacks against U.S. financial institutions (see related story, page 4). In a speech intended to build support for stalled legislation known as the Cybersecurity Act that would enable greater information sharing and improved cybersecurity standards, Defense Secretary Leon Panetta warned that the nation faced the possibility of a "cyber Pearl Harbor" unless action was taken to better protect critical infrastructure.

"Awareness of the problem has been the biggest change" since the release of Stuxnet, says Tim Roxey, chief cybersecurity officer

On the other hand, cybersecurity is still not among the top five reliability concerns for most utilities, according to John Pescatore, an analyst at Gartner. Says Roxey: "It's clearly in the top 10." But then, so is vegetation management.

Compounding the challenge is the fact that regulated utilities tend to have tight budgets. That's a big problem, says Paul Kurtz,

company CyberPoint International and former senior director for critical infrastructure protection at the White House's Homeland

lutions," he says. "How do you do this without hemorrhaging cash?"

Falling Behind

Most experts agree that critical infrastructure providers have a long way to go. Melissa Hathaway, president of Hathaway Global Strategies, was the Obama administration's acting senior director for cyberspace in 2009. That year, she issued a Cyberspace Policy Review report that included recommendations for better protecting critical infrastructure, but there hasn't been much movement

National Cyber Incident Response plan has been published, but a national-level exercise, conducted in June, showed that the plan was insufficient to protect critical infrastructure.

"A lot of critical infrastructure is not even protected from basic hacking. I don't think the industry has done enough to address the risk, and they're looking for the government to somehow offset their costs," Hathaway says. There is, however, a broad recognition that critical infrastructure is vulnerable and that something needs to be done about it.

The Department of Defense has a direct stake in the security
THE U.S. STRIKE BACK?

Most best practices on dealing with cyberattacks on critical infrastructure focus on defense: patching vulnerabilities and managing risk. But should the U.S. conduct preemptive strikes against suspected attackers - or at least hit back?

Gen. Michael Hayden, principal at security consultancy The Chertoff Group, and former director of the NSA and the CIA, says the cybersecurity problem can be understood through the classic risk equation: Risk (R) = threat (T) x vulnerability (V) x consequences (C). "If I can drive any factor down to zero, the risk goes down to zero," he says. So far, most efforts have focused on reducing V, and there's been a shift toward C, with the goal of determining how to rapidly detect an attack, contain the damage and stay online. "But we are only now beginning to wonder, how do I push T down? How do I reduce the threat?" Hayden says. "Do I shoot back?"

The DOD is contemplating the merits of "cross-domain" responses, says James Lewis, senior fellow at the Center for Strategic and International Studies. "We might respond with a missile. That increases the uncertainty for opponents."

Ultimately, countries that launch such attacks will pay a price, says Howard Schmidt, former cybersecurity coordinator and special assistant to the president. The U.S. response could involve economic sanctions - or it could involve the use of military power.

ROBERT L. MITCHELL
gerated," because the goal of such attacks is to steal intellectual property, not destroy infrastructure.

Others disagree. "We've seen a new expertise developing around industrial control systems. We're seeing a ton of people and groups committed to the very technical aspects of these systems," says Howard Schmidt, who served as cybersecurity coordinator and special assistant to the president until last May and is now an independent consultant.

patches over the past to years, Amoroso says. "I wouldn't I
prised if there are thousands of zero-day vulnerabilities th
unreported." And while hacktivists may brag about uncove
vulnerabilities, criminal organizations and foreign govern
prefer to keep that information to themselves. "The nation
sponsored attack includes not only the intellectual proper!
but the ability to pre-position something when you want tc
disruptive during a conflict," Schmidt says.
TO INNOVATE:

Companies like Google and 3M give tech workers free time to follow their passions. Could it work for your organization? By Howard Baldwin

24 COMPUTERWORLD NOVEMBER 5

IS YOUR IT DEPARTMENT A GREAT PLACE TO WORK?

Computerworld's 20th annual Best Places to Work in IT list and special report will honor 100 organizations that offer great benefits, salaries and opportunities for training and advancement, as well as interesting projects and a flexible and diverse work environment.

Nominate an organization now through Dec. 13, 2012:

https://response.questback.com/idg/bpnoms2013


CHECKLIST: HOW TO GET STARTED

■ There are no hard-and-fast rules, and you have to balance employee productivity with the less-restricted idea of innovation.

■ because that would represent a 10% cut in the amount of time employees spend on 'real work.'

■ Make participation voluntary. Not everyone in your IT department may want to play.

Atlassian's biggest payoff came from an idea generated by a QA analyst

don't go on and on without delivering results.

■ Will you use digital tools, such as wikis for asynchronous discussions, or actual physical facilities, such as conference rooms where teams can meet in person?

■ not just the successes. An idea that didn't bear fruit initially might be worth pursuing later.

True, you're already paying people to do their jobs, but you might want to think about bonuses if an innovation project results in a huge payoff - like Atlassian's Bonfire did.

■ Supporting innovation may not deliver immediate results, and you should feel free to tweak the program based on feedback by the participants.

- HOWARD BALDWIN


cooi{>ame5  that  are  doing  it  and  that  it's  hecoining  more  popular." 

Why?  Because  otherwise,  innovation  doesn't  happen.  “The 
CEO  may  say  innovation  is  one  of  the  company's  top  three 
priorities.”  says  Doug  Williams,  a  Forrester  Research  analyst, 
"but  there's  always  something  happening  in  the  short  term  that 
pushes  the  long-term  innovation  off.” 

When  innovation  gets  postponed  for  too  long,  companies 
languish  —  witness  RlM’s  reversal  of  fortune  and  Microsoft's 
vilification  in  the  mainstream  media  for  its  failure  to  innovate. 
“Innovation  programs  remove  the  constraints  that  accompany 
traditional  work  and  offer  a  safe  space  for  bilure,"  Pink  says. 
“That  lets  people  try  riskier  things." 

rime  Off  Pros  and  Cons 

Sometimes  known  as  innovation  time  off,  or  ITO,  creativity  pro¬ 
grams  aim  to  battle  stagnation  in  multiple  ways.  For  one  thing, 
by  giving  employees  the  freedom  to  explore  and  be  creative,  they 
can  improve  morale  and  help  make  individuals  more  pnxhictive 

result  can  be  a  product  or  internal  tool  that  boosts  companywide 
Creativity programs also represent a new way to help retain employees in today's competitive labor market. "The old motivational
techniques  have  run  their  course,"  says  Pink.  "We've  oversold  the 
carrot-and-stick  and  undersold  quieter  forms  of  motivation." 

"It's energizing for employees to take a break from their day-to-
day  business  and  think  creatively  about  solving  other  problems  or 
using  technology  in  a  different  way,"  says  Williams.  "Employees 
recognize  it  as  something  valuable." 

None  of  which  is  to  say  there  aren’t  downsides  to  such  pro¬ 
grams.  For  some  managers,  it’s  hard  to  let  staffers  spend  even  an 
occasional  half-day  on  an  outside  project  without  expecting  im¬ 
mediate  results.  For  employees,  it  can  be  hard  to  shift  focus  and 
take up something amorphous when real-world deadlines loom.

But  some  people  who  have  participated  in  such  programs  say 
the potential for positive results is worth it.

"When  I  started  here,  one  of  the  first  things  I  heard  was  that  the 
IT  department  had  lots  of  ideas,  but  few  saw  the  light  of  day."  says 
Mamatha  Chamarthi,  vice  president  and  CIO  of  business  technolo¬ 
gy  solutions  at  Consumers  Energy,  an  electric  and  natural  gas  utility 
in Jackson, Mich. "Having a 20% program lets ideas bubble up," she
says.  "Sometimes  you  need  to  unleash  a  grass-roots  level  of  passion 
to  generate  more  innovative  and  transformational  changes." 

How  Much  Time  Is  Enough? 

When  setting  up  an  innovation  program,  one  of  the  hardest  deci¬ 
sions  to  make  is  how  much  time  should  be  devoted  to  it.  There 
is  little  consistency  on  this  score  among  organizations  that  have 
such  programs.  The  time  allotted  ranges  from  a  few  days  per  year 
to  one  day  each  quarter  to  one  day  per  week. 

One thing is clear: Because Google's program is so well known, "20% time" has become something of a guiding principle for the way innovation initiatives should be structured, but that's a gold standard that not many employers are able to match. "Some companies simply don't have the luxury to give employees 20% of their week to work this way," says Williams, noting that 10% — about an afternoon each week — may be more reasonable.

And  even  less-frequent  programs  can  deliver  tangible  results. 

Take  the  Innovation  Days  program  at  the  University  of  Pennsyl¬ 
vania,  which  was  created  by  Robin  Beck,  the  school's  vice  presi¬ 
dent  of  information  systems  and  computing,  to  give  employees  a 
chance  to  come  up  with  IT-related  improvements  of  their  choice. 

"We  want  to  foster  innovation  and  creativity,  but  the  day-to-day 
reality  of  delivering  IT  gets  in  the  way,"  Beck  eiqrlains.  Officially 
settirig  aside  time  for  such  efforts  shows  that  innovation  is  a  priority. 

The twist? Exploration Days is a three-day event that takes
place  just  once  a  year.  The  process  begins  with  IT  staffers  posting 
ideas  and.  if  interested,  recruiting  collaborators  on  an  Explora¬ 
tion  Days  wiki.  Teams  and  individuals  work  on  their  projects  on 
one  of  two  days  (in  order  to  provide  flexibility).  On  the  third  day, 
dubbed  Report  Out  Day,  there’s  an  ice  cream  social  and  partici¬ 
pants  give  presentations  about  what  they've  achieved. 

Beck  and  her  team  considered  both  monthly  and  quarterly  pro¬ 
grams  before  deciding  to  start  with  an  annual  event.  The  first  took 
place  in  August  of  2011,  and  a  second  one  was  held  this  summer. 

Participation  isn’t  mandatory,  but  Beck  reports  that  most  of  her 
300  employees  participated  last  year,  and  last  year’s  projects  have 
borne fruit. One team tackled the problem of configuring students' personal devices for the university's wireless network. It developed a simpler process that saves time for both students and IT staffers.

Atlassian,  a  Sydney-based  maker  of  collaboration  software,  has 
two  innovation  programs;  a  20%  time  initiative  and  one  called 
Shipit,  which  takes  place  quarterly  over  24  hours. 

Shipit starts at 4 p.m. on a Thursday and goes to 4 p.m. the following day. "The idea is to give employees the opportunity to
itch  something  they  wanted  to  scratch,"  says  company  president 
Jay  Simons,  adding  that  employees  can  work  solo  or  in  teams, 
usually  of  no  more  than  five. 

Projects  can  be  a  prototype 
of  a  new  feature  or  a  fix  to  an 
existing  product,  but  whatever 
it  is,  it  has  to  be  completed  in 
24  hours.  "By  compressing  the 


achievable,"  Simons  explains. 

Another  key  requirement: 

The  results  of  Shipit  work  must 
be  presented  to  co-workers  in 
a  five-minute  demo.  “Even  if 
someone  tried  to  build  a  widget 
and  failed,  they  have  to  give 
a  presentation,"  says  Simons. 

“Because  then,  five  people  will 
go up to that developer after¬
ward  and  offer  ideas.” 

Only  about  one-third  of  the 
company's  500  employees  — 
mostly  engineers  —  participate 
in  the  20%  program  “because 
it's  hard  to  dedicate  a  day 
a  week  to  something,”  says 
Simons.  “Products  have  to  ship, 
and  sometimes  development 
takes  longer  than  estimated.” 

Payoffs 

The  benefit  of  having  two 
programs  is  that  each  serves  a 
different  purpose,  according  to 
Simons.  The  Shipit  program 
has been the source of "hundreds of small improvements to business processes," he says. The 20% program, on the other hand, has yielded fewer results, but those results have had a big impact.

How big? One 20% time program evolved into an open-source
JavaScript-based  graphic  manipulation  tool  called  Raphael. 

And  in  another  20%  time  project,  a  quality  assurance  engi¬ 
neer  —  not  even  a  software  developer  —  built  a  prototype  of  an 
internal  bug-tracking  system  for  the  company's  JIRA  software, 
which  tracks  software  development  projects.  The  result  was 
so  impressive  that  Atlassian  turned  it  into  a  product.  Bonfire, 
which started shipping in July 2011. Total revenue at last tally:
$1  million,  and  the  QA  engineer  is  now  its  product  manager. 

Not all innovations pay off quite so handsomely, or yield any monetary return at all — nor are they designed to.

At Detroit-based online mortgage lender Quicken Loans, CIO
Linglong  He  oversees  a  program  called  BulletTime  (so  named 
because  the  projects  are  quick  and  targeted).  The  idea  is  for  all 
750  IT  team  members  to  take  time  to  work  on  personal  projects 
every Monday from 1 p.m. till the end of the workday.

Notable BulletTime projects include an internal application called Qwicktionary that lists all of the abbreviations used by the company; a mortgage calculator for clients; and an iPhone app called North-

Star that indicates the location of the company's 100-plus

"NorthStar had a positive impact on meeting productivity, because people aren't late to meetings anymore," says He.

Security question #17

Can your Next-Gen Firewall pass the ultimate security and performance test? How about excelling in three?

The Dell SonicWALL SuperMassive E10800 came out on top in the Clear Choice performance test for Next-Gen Firewalls. Delivering proven speed, protection and control, it came close to maxing out the test bed's network capacity, not only in firewall-only tests but also when configured with IPS and anti-malware features enabled. The SuperMassive E10800 decrypted SSL traffic at up to 4.8 Gbps and led the way in application detection.

Dell SonicWALL secures the enterprise.

Set  Parameters 

Allowing  something  as  amor¬ 
phous  as  time  out  to  innovate 
may  be  anathema  to  some  IT 
organizations  and  managers, 
but  supporters  say  techies 
are  uniquely  suited  to  such 
programs.  "Innovation  and 
creativity are an important part of what any IT organization does," says Penn's Beck.

That  said,  ITO  programs 
need  guidelines.  Consum* 
ers  Energy  has  internal 


use  to  post  ideas  and  form 
teams. Chamarthi and her staff meet weekly to review the ideas. If the business side likes a project enough to fund it, it has to reduce the priority of another project. The underlying message to the IT team: 20% projects have to have business value.

And  no  matter  what  the 
goal,  CIOs  advise  patience 
when  it  comes  to  implement¬ 
ing  innovation  programs. 
"You  have  to  set  the  expecta¬ 
tions  that  this  is  an  experi¬ 
ment  and  it  may  change  along  the  way,"  says  He.  “You  also  have 
to  build  flexibility  in.  Too  often,  technology  leaders  want  to  build 
a  perfect  solution  from  day  one.” 

Finally,  warns  Beck,  if  innovation  and  creativity  are  not  part 
of your existing culture, you're not going to instill those quali¬
ties  in  a  single  day.  "It  has  to  be  something  you  encourage  on  a 
consistent  basis,”  she  says.  "Be  patient.  You're  planting  seeds,  and 
WHY PASSWORDS STILL FAIL US.

Passwords aren't working, and replacement technologies haven't caught on. Why can't we develop a simple way to secure our data? By Howard Baldwin

In last summer's widely publicized "epic hack" of tech journalist Mat Honan, Amazon, Apple and, to a lesser extent, Google and Honan himself share the blame.

But passwords played a part in the perfect storm of user, service provider and technology failures that wiped out Honan's entire digital life. As he concluded in his account of the hack, "Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing."

The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant.

Password security is the common cold of our technological age, a persistent problem that we can't seem to solve. The technologies that promised to reduce our dependence on passwords — biometrics, smart cards, key fobs, tokens — have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.

All  of  which  makes  password  management  a  nightmare  for 
IT  shops.  “IT  faces  competing  interests,”  says  Forrester  analyst 
Eve  Maler.  “They  want  to  be  compliant  and  secure,  but  they  also 
want  to  be  fast  and  expedient  when  it  comes  to  synchronizing 

Is there a way out of this scenario? The answer, surprisingly, may be yes. There's little consensus on what the best solution will be, but consultants and IT executives express optimism about the future. They cite technologies such as single sign-on, two-factor authentication, machine-to-machine authentication and better biometrics as ways to strengthen security — eventually. For now, each still has its drawbacks.

As our lives proliferate online, the sheer number of passwords that any one person is required to use becomes a problem. The Ponemon Institute conducted a study several years ago to determine how many passwords people could remember. For most people, it was one or two; some could manage three.

"That means you have a top-secret password for your bank," plus one other password "for everything else," says Ponemon. "If someone steals [the latter], they can probably get other challenge and verification information, like the name of your first-grade teacher."

And, despite IT's best efforts, users continue to fall for phishing attacks. "When we educate people about phishing, the number of people who fall for it goes down," says Jonathan Feldman, director of IT services for the city of Asheville, N.C. "But it never goes down to zero."

The  Problem  With  Passwords 

Despite  years  of  well-publicized  breaches,  weak  passwords  still 
subvert  IT  security,  but  the  most  obvious  solution  —  strong  pass¬ 
words — comes with its own set of problems.

Complex  passwords  annoy  or  stymie  users,  who  subsequently 
take  up  IT’s  time  asking  for  password  resets,  thereby  lowering 
productivity for both groups. The result, laments Maler: "IT ends


And  then  there  are  hackers.  Even  strong  passwords  can  be 
stolen  in  batches,  as  multiple  high-profile  cases  have  shown. 

All  of  which  makes  a  strong  case  for  a  Plan  B. 

Short-term Solutions: SSO and LDAP

In  the  short  term.  Plan  B  to  many  IT  executives  is  single  sign-on 
(SSO)  technology  or  the  Lightweight  Directory  Access  Protocol 
(LDAP). 

Single sign-on, as its name implies, lets users log in once and then authenticates them for multiple systems. LDAP, which runs on IP networks, is the directory protocol that Microsoft's Active Directory speaks; any application that authenticates against Active Directory over LDAP accepts the same password as every other AD-integrated application, so users have one password to remember and IT has one place to manage it.

Forrester’s  Maler  notes  that  one  of  the  big  advantages  of  single 
s^n-on  is  that  it  eliminates  the  need  to  have  multiple  systems 


SECURITY 


dows-based  applications  and  custom  applications  that  were  never 
designed  to  acknowledge  the  existence  of  AD,"  says  a  retail  indus¬ 
try  IT  executive  who  asked  that  his  name  not  be  used.  "Getting 
them  to  talk  to  each  other  is  an  investment  of  time  and  money, 
and  it's  not  always  our  highest  priority." 

Feldman,  meanwhile,  points  out  that  SSO  has  drawbacks  of  its 
own.  "If  your  password  gets  compromised  in  one  place,  it’s  com¬ 
promised  everywhere,"  he  says. 

If  an  SSO  system  is  breached  by  a  phishing  expedition,  the 
hackers  can  then  go  to  the  website  and  try  passwords  to  get  to 
other  parts  of  the  system,  he  explains.  Or  they  can  start  probing 
for an IP stack or a GRE (generic routing encapsulation). Instead of SSO, Feldman uses digital security certificates to limit the city's vulnerability.

Overall,  SSO  makes  users'  lives  simpler  and  LDAP  makes 
security  administration  easier.  They're  not  perfect,  sources  agree, 
but  together,  they  do  provide  some  interim  value. 

Biometrics 

Other  highly  touted  security  technologies  continue  to  evolve,  but 
at  a  pace  that’s  too  slow  for  most  IT  managers.  And  the  newer 
technologies  have  flaws  of  their  own. 

For  example,  smart  cards  aren't  widely  deployed  but  are  frequent¬ 
ly used in highly secure installations. Earlier this year, however, the smart-card readers at the Department of Defense were breached by malware that sniffed the PINs on smart cards. "It was kind of like protecting a nuclear facility with a house key," says Maler.

Nor has biometrics taken off — yet. The most extensive deployment of biometric technology is in fingerprint readers on Lenovo ThinkPads, which SBU used for a while. It was a cool feature until the sensors got dirty and it started taking six swipes before the system recognized the user's fingerprint, according to Capizzi.

"Some  people  said  it  worked  great,  but  others  found  it  more 
annoying  than  typing  in  a  password."  he  says,  noting  that  the 
readers  also  made  the  laptops  more  expensive.  “From  a  corporate 
perspective.  I'm  not  sure  biometrics  is  there  yet.” 

Nevertheless,  the  retail  industry  IT  executive  says  he  plans  to 
investigate  biometrics  for  a  legacy  point-of-sale  system  that  can’t  be 
integrated  with  Active  Directory.  “Our  salespeople  aren’t  assigned 
to  a  register.  Instead,  there  are  multiple  POS  terminals  throughout 
the  store,  so  they’re  logging  in  and  out  often."  He  says  he’d  like 
to  retrofit  the  POS  terminals  so  employees  can  access  the  system 
with  the  tap  of  finger,  noting  that  it  would  be  an  improvement  over 
users  mistyping  passwords  or  forgetting  them  altogether. 

Security consultant Ponemon holds some optimism for biometrics — although he chuckles at instances like the botched Department of Homeland Security installation at the border crossing at Nogales, Ariz., where the scanner was installed upside down and failed everyone who tried it. "Implemented correctly, some biometrics systems are really cool," he says. "The Israelis have created very robust voice-recognition tools that can determine identity within a nanosecond."

He  says  he  believes  that  voice  recognition  tools  will  be 
more  viable  than  facial  recognition,  fingerprint  or  iris  scan¬ 
ning systems. "People are too nervous" about having their eyes scanned, he points out.

Feldman says he's investigated almost everything under the sun.
He's  not  bullish  on  biometric  tools  because  he's  seen  too  many 
of  them  fail.  He’s  not  keen  on  key  fobs  (which  display  a  one-time 


access  code  after  the  user  enters  a  PIN)  because  they  have  to  be 
discarded  after  a  few  years,  and  because  he  doubts  that  users 
would  report  lost  key  fobs.  And  after  the  breach  of  EMC’s  RSA 
security  division  last  year,  he’s  not  convinced  that  the  vendor's 
method  of  displaying  access  codes  —  on  a  USB-based  hardware 
token  —  is  viable  either. 

Cellphones  to  the  Rescue? 

That  doesn’t  mean  Feldman  is  down  entirely  on  device  authentica¬ 
tion,  which  strengthens  the  password  updating  process  by  using  a 
second  trusted  channel  of  communication  in  addition  to  a  primary 
network  connection.  Feldman  is  looking  at  using  cellphones  as  the 
secondary  channel.  “Everyone’s  got  a  phone."  he  reasons. 

Instead  of  an  access  code  displaying  on  a  hardware  token,  it 
would appear in an SMS or text message on a phone. Users wanting
to  log  in  to  a  data  center,  then,  would  enter  both  their  password  and 
the  randomly  generated  access  code  received  via  their  phone. 

Forrester’s  Maler  also  likes  this  idea.  "IT  generates  a  new,  one¬ 
time  password  and  provisions  it  to  the  enterprise  user  by  means 
of  an  alternate  channel  —  in  this  case,  the  carrier  network. 

That’s  really  powerful,  because  it’s  part  of  a  password  policy  that 
forces  change,  and  it’s  strong  authentication  because  it  involves 
something  you  know  —  the  password  —  and  something  you  have 
—  the  computing  device." 
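The flow the two paragraphs above describe, written out as an added Python example (it is not code from the article, from the city of Asheville or from Forrester): the server checks the password over the primary channel, then texts a short random code through a hypothetical SMS gateway callable and accepts that code once, before it expires and within a bounded number of guesses. Every user name, phone number, password and time limit below is made up for illustration.

```python
"""Two-channel login: password on the primary channel, one-time code by SMS.

Added example; not code from the article or from the organizations it quotes.
The SMS gateway is a hypothetical callable(phone_number, text) standing in for a
carrier API, and every user name, phone number and password below is made up.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300    # assumption: a texted code is good for five minutes
MAX_ATTEMPTS = 3          # assumption: three wrong guesses invalidate the code
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 for the 'something you know' factor; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _code_digest(username, code):
    # Only a hash of the live code is kept server-side, so a leaked table
    # of pending logins does not hand out usable codes.
    return hashlib.sha256(f"{username}:{code}".encode()).digest()


class TwoChannelLogin:
    def __init__(self, sms_gateway, clock=time.time):
        self._send = sms_gateway
        self._clock = clock       # injectable so expiry can be tested without sleeping
        self._users = {}          # username -> (phone, salt, password digest)
        self._pending = {}        # username -> (code digest, expires_at, attempts_left)

    def enroll(self, username, phone_number, password):
        salt, digest = hash_password(password)
        self._users[username] = (phone_number, salt, digest)

    def start_login(self, username, password):
        """Step 1: verify the password; if it checks out, text a fresh code."""
        user = self._users.get(username)
        if user is None:
            return False
        phone, salt, stored = user
        _, presented = hash_password(password, salt)
        if not hmac.compare_digest(stored, presented):
            return False
        # secrets, not random: the code must be unpredictable to someone who
        # has already stolen the password.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = (
            _code_digest(username, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        self._send(phone, f"Your one-time login code is {code}")
        return True

    def finish_login(self, username, submitted_code):
        """Step 2: accept the code once, before it expires, within the guess budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]
            return False
        if hmac.compare_digest(digest, _code_digest(username, submitted_code)):
            del self._pending[username]      # single use: a replayed SMS fails
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[username]      # a 6-digit space is only 10^6 guesses
        else:
            self._pending[username] = (digest, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    outbox = []                              # stands in for the user's phone
    svc = TwoChannelLogin(lambda phone, text: outbox.append((phone, text)))
    svc.enroll("alice", "+15550100", "correct horse battery staple")
    if svc.start_login("alice", "correct horse battery staple"):
        code = outbox[-1][1].split()[-1]     # what the user reads off the phone
        print("login ok:", svc.finish_login("alice", code))
```

Three details carry the security of the scheme: the code is never sent until the password has been verified, so an attacker cannot use the login form to spray texts at users; the code is single-use and time-limited, so a message read off a lost or borrowed phone later is worthless; and the guess budget matters because six digits is only a million possibilities. The second channel is only as trustworthy as the carrier's control over the phone number, which is why later guidance (NIST SP 800-63B) treats SMS as a weaker second factor than an authenticator app or hardware token; the article's sources are describing it as a practical step up from passwords alone, not as the final word.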

Case  Western’s  Siu  is  even  more  enthusiastic  about  device  au¬ 
thentication.  “It’ll  keep  people  from  sharing  credentials,  because 
for  that  to  work,  someone  has  to  hand  over  their  phone,  and 
no  one  wants  to  do  that,”  he  says.  The  increasing  popularity  of 
smartphones  improves  the  feasibility  of  this  method. 

Ponemon  agrees,  and  adds  that  devices  even  smarter  than 
smartphones  may  improve  security.  He  believes  device  recogni¬ 
tion  technology,  where  the  system  recognizes  your  computer 
based  on  its  IP  address  and  other  recognizable  factors,  will  take 
hold,  especially  with  security  capabilities  being  built  into  proces¬ 
sors.  “It’s  technology  that  will  get  people  in  and  out  of  systems 
safely,”  he  says.  "Computers  with  these  chips  will  be  low  cost,  but 
they’ll  be  useful  in  a  wide  array  of  scenarios." 

Whatever  device-based  technology  wins,  it  will  involve  a  set 
of  checks  and  balances.  “We'll  always  have  password  problems," 
acknowledges  Siu.  “While  users  always  want  a  single  place  to 
log in, we're going to need multiple levels of authentication." He
anticipates  that  in  the  future  we'll  carry  something  that  authen¬ 
ticates  us,  perhaps  our  phone  or  something  with  an  RFID  tag, 
just as a highway toll transponder authenticates a car at a toll booth or a key fob lets you start a Prius when it's in the vicinity.

Ultimately, even the security experts are optimistic. "We're at a turning point in the security industry," insists Ponemon.
"There  are  lots  of  venture  capital  investments  looking  at  this 
facet  of  security.  It’s  a  response  not  just  to  [breaches  at  popular 
sites such as LinkedIn], but to hackers in China and Russia who
are  looking  for  weaknesses." 

With  the  threat  vector  high,  so  too  is  the  likelihood  of  a  suc¬ 
cessful  technological  response.  In  the  meantime,  IT  will  keep 
on  trying  to  exhort  users  to  choose  stronger  passwords  —  and 
that  includes  their  own  systems  administrators.  As  Maler  relates, 
a  recent  Forrester  study  found  that  the  most  common  admin¬ 
istrator  password  for  Microsoft  Exchange  is  —  you  could  have 
guessed it — password1.
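The kind of audit that finding invites, as an added Python example that is not from the article or from the Forrester study it cites: before checking a blocklist it strips the decorations users (and administrators) bolt onto a dictionary word to satisfy complexity rules, so "password1" and "P@ssw0rd2013!" are both recognized as the same weak base word. The blocklist, the sample account list and the 12-character minimum are constructed assumptions; a real run would load a breach-derived list and the site's own policy length.

```python
"""Weak-password audit: normalize, then blocklist-check.

Added example, not from the article or the study it cites. COMMON_PASSWORDS,
SAMPLE_ACCOUNTS and MIN_LENGTH are constructed for illustration.
"""
import re

COMMON_PASSWORDS = {   # constructed sample; a deployment loads a breach-derived list
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "changeme", "exchange", "secret",
}

# Substitutions users apply to get past complexity rules without changing the word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits and punctuation typically appended or prepended ('password1', 'Welcome2013!').
# '@' and '$' are deliberately not here: they are part of the word ('p@ss', 'pa$$').
_DECORATION = r"[0-9?.,#*&^%+\-_=!]+"

MIN_LENGTH = 12   # assumption: substitute your policy's minimum


def normalize(password):
    """Reduce a password to the dictionary word it was built from.

    'P@ssw0rd2013!' -> 'password', 'Admin1' -> 'admin'. Trailing and leading
    decoration is stripped first, then the leet substitutions are undone.
    """
    p = password.lower()
    p = re.sub(_DECORATION + "$", "", p)
    p = re.sub("^" + _DECORATION, "", p)
    return p.translate(LEET)


def weakness(password, username="", blocklist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return None if the password passes, otherwise a short reason string.

    The blocklist check runs before the length check so that 'password1'
    is reported as a common-password variant, not merely as too short.
    """
    base = normalize(password)
    if base in blocklist:
        return f"variant of common password '{base}'"
    user_base = normalize(username) if username else ""
    if user_base and user_base in base:
        return "contains the account name"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    if len(set(password)) <= 2:
        return "too few distinct characters"
    return None


def audit(accounts, **kwargs):
    """accounts: iterable of (username, password). Returns [(username, reason), ...]."""
    return [(u, r) for u, p in accounts if (r := weakness(p, username=u, **kwargs))]


SAMPLE_ACCOUNTS = [   # constructed; not data from any real directory
    ("exchadmin", "password1"),
    ("svc_backup", "P@ssw0rd2013!"),
    ("jdoe", "jdoe2012"),
    ("ops", "correct horse battery staple"),
    ("dba", "aaaaaaaaaaaaaa"),
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS):
        print(f"{user}: {reason}")
```

In practice the check belongs in two places: at password-set time, where it rejects the weak choice before it lands in the directory, and in a periodic offline audit against captured hashes, where `weakness` is applied to each candidate that cracks. Normalizing before the blocklist lookup is what makes the list useful; a list of bare words catches "password" but, without it, misses the "password1" the study found.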

Baldwin  is  a  frequent  Computerworld  contributor. 
I THOUGHT I was a security adolescent, but I'm really just a toddler.

Many  IT  managers  can  prob¬ 
ably  tell  from  that  statement  that 
I  have  been  looking  into  maturity 
models. I did that at the request of our
CIO,  who  asked  all  of  his  department 
managers  to  develop  a  maturity  model 
and identify where we are. Perhaps
the  topic  came  up  at  a  conference  he 
attended,  but  no  matter.  I  had  never  as¬ 
sessed  the  maturity  of  my  department  at 
my  current  company. 

My  first  step  was  to 
turn  to  the  Internet  to 
try  to  find  the  maturity 
model  that  could  best 

security  program  against 
industry  standards.  I  wanted  something 
that  would  let  me  communicate  the  level 
of  our  security  maturity  in  one  slide. 

I  soon  found  that  there  are  a  lot  of 
models  to  choose  from.  They  range  from 
the  complex,  requiring  lengthy  calcula¬ 
tions  and  surveys,  to  the  fairly  simple. 

sources, I chose the Gartner Security Maturity Model, making a few modifications of my own. The Gartner model segments maturation into phases: Blissful Ignorance (or what I call the initial phase), Awareness (or the developmental phase), Corrective Action (or the define and manage phase) and Operational Excellence (or the optimize phase).
According to Gartner, about half of all
companies  are  in  the  Awareness  phase, 
and  only  5%  ever  reach  Operational  Ex¬ 
cellence.  In  other  words,  most  companies 
know  where  their  weaknesses  are  but  are 
not  yet  taking  action  to  correct  them. 

As  I  worked  my  way  through  the 
questions  that  Gartner  provides  to 

help  clients  position 
themselves  on  the 

became painfully obvious that my security program is not as mature as I had thought.

Sure,  we’ve  spent  a  lot  of  money 
deploying  some  of  the  standard  buzz¬ 
word  technologies:  SIEM,  DLP,  NAC,  file 
encryption,  IPS,  content  filtering,  multi¬ 
factor  authentication,  spam  filtering, 
endpoint protection. I have developed
a  comprehensive  set  of  policies  based 
on  ISO  27001  and  created  awareness 
training  as  well  as  various  procedures 
and  processes.  But  with  many  of  these 
technologies, we are still in our infancy


in  terms  of  capabilities,  coverage,  deploy¬ 
ment  and  user  acceptance. 

For  example,  while  we  have  deployed 
data  leak  prevention  technology  (that’s 
the  “DLP”  in  the  list  above)  to  detect 
when  key  documents  leave  the  company, 
we  have  not  enabled  prevention  or  block¬ 
ing  features;  we  can  monitor  but  not 
prevent.  We  also  lack  network  sensors  in 
every  office,  leaving  gaps  in  coverage. 

Then  there’s  our  network  access 
control  (NAC)  deployment.  We  have 
rolled  that  out  only  to  large  offices 
—  and  not  even  to  all  of  those  —  and 
we  currently  monitor  only  for  devices 
connected  to  the  network.  We  haven’t 
yet  enabled  the  enforcement  of  NAC, 
since  we’re  still  tuning  the  deployment 
and  dealing  with  exceptions  and  other 
challenges  related  to  mobile  devices  and 
nonstandard  systems. 

On  the  other  hand,  some  of  our 
security technologies are fully mature.
Our  firewalls  have  intrusion  prevention 
enabled  and  actively  block  malicious 
traffic.  We  also  enable  URL  filtering  on 
our  firewalls  to  block  access  to  sites  that 
represent  legal  or  security  risks. 

But when I step back and evaluate our
security  landscape,  I  realize  that  we’re 
still  very  much  in  what  Gartner  calls  the 
Awareness  phase  —  in  fact,  my  honest 
assessment  is  that  we’re  in  the  lower 
quadrant  of  that  phase. 

My  goal  for  2013  is  to  accelerate 
the  security  program  by  enforcing 
policies,  and  thereby  move  us  closer  to 
joining  that  magical  5%  of  companies 
that  have  achieved  Operational  Excel¬ 
lence.  For  now,  that’s  a  pipe  dream,  but 
it’s  a  worthy  goal.  * 

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
Bring the efficiency of cloud computing inside your datacenter with Windows Server 2012, the only server built from the cloud up. It has storage virtualization built in, letting you configure your storage into a single elastic and efficient storage pool.
Change Management Is Not Optional


You can't assume that if you just design a better approach,


HIGH-IMPACT PROJECTS — those aiming for streamlined,
redesigned  and  transformed  business  processes  —  require  more 
than  incremental  change.  But  few  people  embrace  change 
enthusiastically.  Staff  can  be  stiffly  resistant  to  new  processes. 


interfaces  or  job  responsibilities.  It’s  a  challenge 
that calls for effective change management.

Unfortunately,  even  multinational  enterprises 
often  ignore  change  management  until  problems 
arise.  Many  good  project  teams  naively  assume 
that  if  they  just  design  a  better  approach,  people 
will  automatically  embrace  the  new  system.  (I'm 


teams  that  saw  value  in  change  management 
had  to  create  small  additional  projects  (which 
received  less  scrutiny)  for  training,  documenta¬ 
tion  and  change  management.  Unfortunately,  this 
approach  resulted  in  out-of-sync  schedules  and 
poor  integration  among  other  project  activities, 
severely  hampering  change  management  efforts. 
The Outside-the-Box Job Interview

Be enthusiastic and talk as if you already have the job. For example, if the interviewer mentions a new implementation, say, "When can we get started?" One successful job candidate insists this strategy has resulted in several job offers.
Place your Labor Certification Ads Here


Are  you  frequently  placing 
legal  or  immigration  advertisements? 

Let  us  help  you 
put  together  a 
cost-effective  program 
that  will  make  this 
time-consuming 
task  a  little  easier. 

Contact  us  at: 

800.762.2977 
SHARK TANK

washed the computer, motherboard and all, in soapy water. Then we rinsed it with alcohol and replaced all the CMOS, and it worked fine. And then we told the customer to please put it back in the nice air-conditioned office where we had originally installed it."

Mmm! Baked Apple!

This big ad agency leases MacBook Pros for its freelancers, reports a pilot fish at the outfit that provides the laptops. "One freelancer stopped working for the company, but did not return the MacBook Pro," fish says. "Company eventually noticed they were still paying rent on this unit and worked oi
requested its return and asked us to arrange collection. Meanwhile, the freelar


Recipe  for  Disaster 

It's  the  late  1990s.  and  this  pilot  fish 
Rogue IT, and Power as an Obstacle to Influence


We  have  to 
decide:  Do  we 
want  to  be 
powerful  or 
influential? 


Paul Glen, CEO of Leading Geeks, is devoted to clarifying the murky world of human emotion for people who gravitate toward concrete thinking. His newest book is 8 Steps to Restoring Client Trust: A Professional's Guide to Managing Client Conflict. You can contact him at info@leadinggeeks.com.


After  I  wrote  last  month’s  column  on  why  CIOs  don’t  have  more 
influence  with  “the  business,”  I  participated  in  a  fascinating  con¬ 
versation  with  a  group  of  big-company  IT  operations  directors  that 
perfectly  illustrated  how  we  in  IT  undermine  our  own  influence. 


The  discussion  turned  to  rogue  IT,  with  a 
general  consensus  that  it  was  pervasive.  One  es¬ 
timate,  which  was  not  greatly  scoffed  at,  was  that 
rogue  IT  might  constitute  15%  of  the  average  large 
company's  IT  spending. 

But while nearly all of the IT leaders agreed that rogue IT was widespread, they showed little interest in exploring why that was. They didn't want to talk about what might drive line-of-business managers to bypass the IT department. They didn't want to try to understand what the experience of their business partners might be like. They weren't interested in examining whether those partners felt a lack of control, a mistrust of the department or the need for speed. By staying silent on these topics, the group seemed to be dismissing the experiences of business managers as irrelevant excuses for bad behavior.

It was another story when they were asked how to manage the situation. Silent no more, nearly everyone was suddenly spilling over with advice like this:

■ Threaten the vendors. If vendors take meetings with the line-of-business executives without inviting IT, they should get blacklisted.

■ Require IT sign-off on purchases. Tell the purchasing department to divert any technology-related requests to IT.

■ Refuse to integrate. Insist on IT taking control of any systems, data and/or people that need to work with IT-controlled systems.

Of course, IT departments have good reasons for wanting to centralize the control of technology assets; among other things, they want to control costs and ensure that data is kept secure and managed responsibly. But notice the theme in the suggested responses to rogue IT: They all involve exercising coercive power and preventing business managers from doing what they want to do. If these IT managers had been willing to examine the experience of their business partners, they might have realized that while these techniques might control rogue behavior in the short run, the long-term effect will likely be quite the opposite.

These sorts of power moves do nothing to reduce the demand for rogue IT or to address the root causes, which often stem from negative assumptions about the experience of working with the IT department. If anything, they reinforce the beliefs that inspire business managers to go rogue and strengthen their determination to do so, ultimately driving rogue IT further underground.

Controlling attitudes and heavy-handed policies will likely undermine the efforts of CIOs who want to increase IT's influence within the business. No matter how good their personal relationships in the C-suite, their efforts to become influential will be doomed if IT is seen as an obstacle rather than a helper at every level below.

Power is about changing other people's behavior; influence is about changing other people's minds. For IT to become more influential, we must learn to examine, with empathy, the thoughts and experiences of those we want to influence. And then we will have to decide whether we want to be powerful or influential. Ultimately, we need to ask ourselves, "Are we willing to put in the effort it will take to change people's minds?"
Because no two businesses are the same.

Introducing the flexible new range of IBM System x servers.

No two companies have the same IT requirements. That's why IBM® has a new range of System x® servers, built to handle workloads ranging from simple tasks to complex cloud-based and business applications. Featuring the latest Intel® Xeon® E5-2600 and E5-2400 series processors, these servers can be customized so that you can select features you need today and add more as your business needs change. Additionally, IBM Business Partners can help you find the server that meets your needs and pair it with the right IBM storage, networking and software solutions for a truly optimized infrastructure.


